Mage
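The Manifest Generation and Editing Tool (Mage.exe) is a command-line tool that supports creating and editing application and deployment manifests. As a command-line tool, Mage.exe can be run from both batch scripts and other Windows-based applications, including ASP.NET applications.
Tip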
When you sign a manifest file using mage, two signature units are consumed. This is because two hash signatures are created for different types of content within the manifest:
The first hash signature is generated for the manifest file itself.
The second hash signature is generated for the files referenced within the manifest.
This double-signing process ensures the integrity of both the manifest file and its referenced files, safeguarding against any tampering attempts.
Follow these instructions to sign directly using Mage and securely reference your private key stored in Software Trust Manager via our KSP library. Alternatively, integrate Mage with Signing Manager Controller (SMCTL) for simplified signing.
Prerequisites
Download and configure Windows clients installer
Mage commands and parameters
Command options supported by Mage:
Shortcut | Parameter | Description |
---|---|---|
-s | -sign | Sign a file using a keypair or a certificate. |
-v | -verify | Verify that the manifest is signed correctly. This parameter cannot be combined with other commands. Note: The verify command is only available in .NET Framework 4.7 and later versions. |
-a | -Algorithm | Specifies "sha256RSA" or "sha1RSA" as the algorithm to generate dependency digests with. |
-cf | -CertFile | Provide the path to the certificate you want to sign with. |
-ch | -CertHash | Provide the certificate hash or certificate fingerprint. |
-kc | -KeyContainer | Provide the keypair alias. |
-csp | -CryptoProvider | Specify "DigiCert Signing Manager KSP". |
-ti | -TimestampUri | Specify http://timestamp.digicert.com |
Note
When specifying a file you want to sign:
Provide only the name of the manifest file if the file is in the same location as where you are running the terminal.
Provide the path to the manifest file you want to sign if the file is in a different location than where you are running the terminal.
Sign
You can use one of the following methods to sign binaries with Mage:
Downloaded certificate and keypair alias
Certificate fingerprint
Sign a file using a certificate
To sign, run:
mage -sign <file_name> -CertFile <file_name> -KeyContainer <keypair_alias> -CryptoProvider "DigiCert Signing Manager KSP" -a sha256RSA -TimestampUri http://timestamp.digicert.com
Command sample:
mage -sign example.exe.manifest -CertFile C:\Users\Name\Desktop\example.p12 -KeyContainer key1 -CryptoProvider "DigiCert Signing Manager KSP" -a sha256RSA -TimestampUri http://timestamp.digicert.com
Sign a file using the certificate fingerprint
Provide the keypair alias and certificate file path
Sync the certificate, then provide the keypair alias and the certificate file path.
To sync the default certificate associated with the specified keypair alias:
smctl windows certsync --keypair-alias=<keypair alias>
Note
For more information refer to the Windows command manual.
To sign, run:
mage -sign <file_name> -CertHash <hash_or_cert_fingerprint> -TimestampUri http://timestamp.digicert.com
Command sample:
mage -sign example.exe.manifest -CertHash f39dbe6bcfaa43ca39585aa40ab0a19bf29991cb -TimestampUri http://timestamp.digicert.com
Note
You must be connected to the Internet when signing a manifest that specifies a -TimestampUri value.
Verify signature
To verify the signed file, run:
mage -verify <file_name>
Command sample:
mage -verify example.exe.manifest
Note
The verify command is only available in .NET Framework 4.7 and later versions.
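An independent check of the dependency digests (the hashes recorded for files referenced within the manifest), as an added example that is not DigiCert's or Microsoft's code. It assumes each `file` element carries `DigestMethod` and `DigestValue` children holding a base64 digest of the raw file bytes; the sample manifest and file names are constructed and omit the namespaces a real manifest declares. It does not validate the manifest's signature, which remains the job of `mage -verify`.

```python
import base64, hashlib, os, tempfile
import xml.etree.ElementTree as ET

# Constructed sample; element layout is an assumption, not taken from the page.
SAMPLE = (
    '<assembly xmlns:dsig="http://www.w3.org/2000/09/xmldsig#"><file name="app.exe"><hash>'
    '<dsig:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha256"/>'
    '<dsig:DigestValue>%s</dsig:DigestValue></hash></file></assembly>'
)
ALGORITHMS = {"sha256": hashlib.sha256, "sha1": hashlib.sha1}

def find(elem, name):
    """First descendant whose tag, ignoring the XML namespace, equals name."""
    return next((e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def check_dependency_digests(manifest_path):
    """Return {file name: status} for every <file> entry in the manifest."""
    base = os.path.dirname(os.path.abspath(manifest_path))
    results = {}
    for elem in ET.parse(manifest_path).iter():
        if elem.tag.rsplit("}", 1)[-1] != "file" or "name" not in elem.attrib:
            continue
        name = elem.attrib["name"]
        method, value = find(elem, "DigestMethod"), find(elem, "DigestValue")
        algo = "" if method is None else method.get("Algorithm", "").rsplit("#", 1)[-1].lower()
        path = os.path.normpath(os.path.join(base, name.replace("\\", os.sep)))
        if value is None or algo not in ALGORITHMS:
            results[name] = "no usable digest"
        elif not path.startswith(base + os.sep) or not os.path.isfile(path):
            results[name] = "missing"  # also covers names that escape the manifest folder
        else:
            with open(path, "rb") as fh:
                actual = base64.b64encode(ALGORITHMS[algo](fh.read()).digest()).decode()
            results[name] = "ok" if actual == (value.text or "").strip() else "MISMATCH"
    return results

def demo(tamper=False):
    """Constructed sample: one file entry, optionally altered after its digest is recorded."""
    data = b"constructed payload"
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode()
    with tempfile.TemporaryDirectory() as d:
        manifest = os.path.join(d, "example.exe.manifest")
        with open(manifest, "w") as fh:
            fh.write(SAMPLE % digest)
        with open(os.path.join(d, "app.exe"), "wb") as fh:
            fh.write(data + (b"!" if tamper else b""))
        return check_dependency_digests(manifest)

if __name__ == "__main__":
    print(demo(), demo(tamper=True))
```

Only `file` entries are covered; any status other than `ok` means the deployed file no longer matches what the manifest recorded at signing time.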